Returning null instead of throwing an exception when an error occurs is the quality of programming I see from junior outsourced developers.
“if (corrupt digital signature) return null;”
is the type of code I see buried in authentication systems, gleefully converting what should be a sudden stop into a shambling zombie of invalid state and null reference exceptions fifty pages of code later in some controller that’s already written to the database on behalf of an attacker.
If I peer into my crystal ball I see a vision of CrowdStrike error handling code quality that looks suspiciously the same.
(If I sound salty, it’s because I’ve been cleaning up their mess since last week.)
>Returning null instead of throwing an exception when an error occurs is the quality of programming I see from junior outsourced developers.
This is kernel code, most likely written in C (and regardless of language, you don't really do exceptions in the kernel at all for various reasons).
Returning NULL or ERR_PTR (in the case of linux) is absolutely one of the most standard, common, and enforced ways of indicating an error state in kernel code, across many OS's.
So it's no surprise to see the pattern here, as you would expect.
“if (corrupt digital signature) return null;”
is the type of code I see buried in authentication systems, gleefully converting what should be a sudden stop into a shambling zombie of invalid state and null reference exceptions fifty pages of code later in some controller that’s already written to the database on behalf of an attacker.
If I peer into my crystal ball I see a vision of CrowdStrike error handling code quality that looks suspiciously the same.
(If I sound salty, it’s because I’ve been cleaning up their mess since last week.)